This is not the first time we have discussed cybercrime and, in particular, its organizational models: creative services offer any kind of support to organizations and individuals that wish to conduct an attack against a specific target.
Cybercriminals have already used cloud architectures in the past to rent computational resources for powerful cyber attacks. Until now these platforms have been used to organize social networks for "customer care", to develop file sharing services, or to set up hacking platforms that run automated penetration tests against the victims.
What is unusual is the discovery made by a group of experts at AlienVault, led by Alberto Ortega, of a new service that offers cyber-attack tools and hosting as part of a malware-as-a-service offering.
Once again cybercrime operates as an enterprise: the products on offer are tools for organizing cyber attacks, such as malware spam, malware hosting, and the components needed to build a complete command and control (C&C) infrastructure for running botnets.
The service is called Capfire4 and it is a good example of C2C (Cybercrime to Cybercrime): it provides technological support to criminals who lack the knowledge needed to conduct a cyber attack or to arrange a cyber scam.
How is the service provided?
In the simplest way: users access a web portal that lets them create customized versions of malware and gives them a management console to control the bots of the infected networks. The owner of the portal advertises it as a service for remotely controlling computers and recovering passwords.
The service is cloud based and offers users a payment platform for the generation of malware and its control; everything is documented with detailed tutorials.
The most popular malware on the portal are RATs (Remote Administration Tools), software built to let the attacker spy on the victims through keylogging, password stealing, command execution, remote access and control, and screen capturing.
These tools are continually updated and improved to meet customers' requirements, an excellent piece of work by specialists.
The platform also offers a hosting service for the malware: once logged in, the client can choose the destination of the agent from a list of fake domains that look like legitimate ones.
Of course, supplying such services requires highly skilled professionals: the malware created must evade antivirus and other defense systems to be attractive to criminals. For this reason the service also provides a rating mechanism for the detectability of the malware sold.
The platform also offers a management console for the malicious agent, served over HTTPS with a valid certificate, which the client can use to gain complete control of the infected system.
The researchers discovered that the address of the C&C machine is in Brazil and is always the same, 174.142.93.226; the communication between the agents and the C&C takes place over HTTP, with a separate protocol on port 9000 used for command execution.
The AlienVault experts have also provided useful information about the platform and about detecting the malware sold: details of the C&C used, of the registration of the fake domains used for hosting, and rules to detect the communication traffic and the command execution requests.
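As an added illustration of how a defender can turn the two indicators above (the fixed C&C address and the separate port-9000 command channel) into a simple network detection, the following Python script scans connection logs for hosts talking to the C&C and escalates when a host shows both the HTTP beacon and the command channel. This is example code written for this page, not AlienVault's published rules; the log format (timestamp, source, destination, destination port, protocol), the sample log lines and the severity scheme are all assumptions.

```python
"""Flag internal hosts contacting the Capfire4 C&C in constructed connection logs.

Added example, not AlienVault's rules. It relies only on the indicators stated
in the article: C&C address 174.142.93.226, agent traffic over HTTP, and a
separate channel on port 9000 for command execution. The log layout and the
sample lines below are assumptions made for this example.
"""
from collections import defaultdict
import re

CAPFIRE4_C2 = "174.142.93.226"   # C&C address reported by AlienVault
CMD_PORT = 9000                  # command-execution channel reported by AlienVault
HTTP_PORTS = {80, 8080}          # assumed ports for the agents' HTTP traffic

# Assumed log format: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Constructed sample input (not real traffic).
SAMPLE_LOG = """\
2012-05-03T10:00:01Z 10.0.0.12 174.142.93.226 80 tcp
2012-05-03T10:00:04Z 10.0.0.12 174.142.93.226 9000 tcp
2012-05-03T10:00:09Z 10.0.0.33 93.184.216.34 443 tcp
2012-05-03T10:01:15Z 10.0.0.33 174.142.93.226 80 tcp
this line is deliberately malformed and must be skipped
2012-05-03T10:02:00Z 10.0.0.45 174.142.93.226 22 tcp
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Label a connection to the C&C by channel; None if the C&C is not involved."""
    if rec["dst"] != CAPFIRE4_C2:
        return None
    if rec["dport"] == CMD_PORT:
        return "command-channel"
    if rec["dport"] in HTTP_PORTS:
        return "http-beacon"
    return "other-c2-contact"   # any other contact with the C&C is still worth a look


def scan(log_text):
    """Return {src_host: sorted list of labels} for every host that reached the C&C."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue          # skip unparseable lines instead of aborting the scan
        label = classify(rec)
        if label:
            hits[rec["src"]].add(label)
    return {src: sorted(labels) for src, labels in hits.items()}


def severity(labels):
    """Assumed triage: beacon plus command channel is the strongest signal."""
    has_cmd = "command-channel" in labels
    has_beacon = "http-beacon" in labels
    if has_cmd and has_beacon:
        return "high"
    if has_cmd or has_beacon:
        return "medium"
    return "low"


if __name__ == "__main__":
    for host, labels in sorted(scan(SAMPLE_LOG).items()):
        print(f"{host}: {severity(labels)} ({', '.join(labels)})")
```

Matching on a single IP is brittle once the operators move the C&C; in practice the same scan would be fed the fake hosting domains as well, and the port-9000 channel would be matched on protocol content rather than port alone.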
Discoveries like these are of great concern for the following reasons:
Pierluigi Paganini